[nft PATCH] evaluate: reject: Allow icmpx in inet/bridge families

Commit 3e6ab2b335142 added restraints on reject types for bridge and
inet families but apparently those were too strict: If a rule in e.g.
inet family contained a match which introduced a protocol dependency,
icmpx type rejects were disallowed for no obvious reason.

Allow icmpx type rejects in inet family regardless of protocol
dependency since we either have IPv4 or IPv6 traffic in there and for
both icmpx is fine.

Merge restraints in bridge family with those for TCP reset since it
already does what is needed, namely checking that ether proto is either
IPv4 or IPv6.

Fixes: 3e6ab2b335142 ("evaluate: reject: check in bridge and inet the network context in reject")
Signed-off-by: Phil Sutter <phil@xxxxxx>
---
 src/evaluate.c                      |  7 +----
 tests/py/bridge/reject.t            |  5 ++++
 tests/py/bridge/reject.t.json       | 44 +++++++++++++++++++++++++++++
 tests/py/bridge/reject.t.payload    | 12 ++++++++
 tests/py/inet/reject.t              |  3 ++
 tests/py/inet/reject.t.json         | 42 +++++++++++++++++++++++++++
 tests/py/inet/reject.t.payload.inet | 12 ++++++++
 7 files changed, 119 insertions(+), 6 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 1fc861f600b4d..86895d32dbdd6 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2142,9 +2142,7 @@ static int stmt_evaluate_reject_inet_family(struct eval_ctx *ctx,
 	case NFT_REJECT_TCP_RST:
 		break;
 	case NFT_REJECT_ICMPX_UNREACH:
-		return stmt_binary_error(ctx, stmt->reject.expr,
-				    &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
-				    "conflicting network protocol specified");
+		break;
 	case NFT_REJECT_ICMP_UNREACH:
 		base = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
 		protocol = proto_find_num(base, desc);
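Review bot: the NFT_REJECT_ICMPX_UNREACH case now has the same body as the NFT_REJECT_TCP_RST case directly above it (a bare `break;`), so the two labels could be stacked to make the "accepted regardless of network context" intent visible at a glance, e.g. `case NFT_REJECT_TCP_RST:` / `case NFT_REJECT_ICMPX_UNREACH:` / `break;`. That also mirrors how the bridge hunk below groups the two types, so a reader comparing the two functions sees the same structure in both.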
@@ -2195,9 +2193,6 @@ static int stmt_evaluate_reject_bridge_family(struct eval_ctx *ctx,
 
 	switch (stmt->reject.type) {
 	case NFT_REJECT_ICMPX_UNREACH:
-		return stmt_binary_error(ctx, stmt->reject.expr,
-				    &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
-				    "conflicting network protocol specified");
 	case NFT_REJECT_TCP_RST:
 		base = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
 		protocol = proto_find_num(base, desc);
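Review bot: after this removal the ICMPX case relies entirely on the check that follows the NFT_REJECT_TCP_RST label, so the error reported when the ether type is neither IPv4 nor IPv6 is whatever that shared check emits; worth verifying that its message text is generic (it is not visible in this hunk) rather than specific to TCP reset, since the new `ether type arp reject with icmpx type admin-prohibited;fail` test only checks that evaluation fails, not what the user is told. A one-line comment above the stacked labels stating that the check below covers both reject types would help the next reader, as the removed lines were the only hint that ICMPX needed any network-context validation here.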
diff --git a/tests/py/bridge/reject.t b/tests/py/bridge/reject.t
index d1c2ecab5fc07..ad5280f7d5730 100644
--- a/tests/py/bridge/reject.t
+++ b/tests/py/bridge/reject.t
@@ -37,3 +37,8 @@ ether type arp reject;fail
 ether type vlan reject with tcp reset;fail
 ether type arp reject with tcp reset;fail
 ip protocol udp reject with tcp reset;fail
+
+ether type ip reject with icmpx type admin-prohibited;ok
+ether type ip6 reject with icmpx type admin-prohibited;ok
+ether type vlan reject with icmpx type admin-prohibited;fail
+ether type arp reject with icmpx type admin-prohibited;fail
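Review bot: the four new cases mirror the `ether type` lines for TCP reset, but the scenario the commit message actually describes (a match that introduces a protocol dependency rather than an explicit `ether type` match) is not exercised here. The existing `ip protocol udp reject with tcp reset;fail` line is the natural template: an `ip protocol udp reject with icmpx type admin-prohibited;ok` case would pin down that an IPv4 protocol dependency no longer blocks an icmpx reject in the bridge family, which is the regression this patch fixes.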
diff --git a/tests/py/bridge/reject.t.json b/tests/py/bridge/reject.t.json
index aa716f8070666..c0bed56e6ce41 100644
--- a/tests/py/bridge/reject.t.json
+++ b/tests/py/bridge/reject.t.json
@@ -219,3 +219,47 @@
     }
 ]
 
+# ether type ip reject with icmpx type admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "ip"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
+# ether type ip6 reject with icmpx type admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "payload": {
+                    "field": "type",
+                    "protocol": "ether"
+                }
+            },
+            "op": "==",
+            "right": "ip6"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
diff --git a/tests/py/bridge/reject.t.payload b/tests/py/bridge/reject.t.payload
index b984f6f8de4d6..888179df9c977 100644
--- a/tests/py/bridge/reject.t.payload
+++ b/tests/py/bridge/reject.t.payload
@@ -106,3 +106,15 @@ bridge test-bridge input
 bridge test-bridge input
   [ reject type 2 code 1 ]
 
+# ether type ip reject with icmpx type admin-prohibited
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x00000008 ]
+  [ reject type 2 code 3 ]
+
+# ether type ip6 reject with icmpx type admin-prohibited
+bridge test-bridge input
+  [ payload load 2b @ link header + 12 => reg 1 ]
+  [ cmp eq reg 1 0x0000dd86 ]
+  [ reject type 2 code 3 ]
+
diff --git a/tests/py/inet/reject.t b/tests/py/inet/reject.t
index cb3caa4aca5c8..0e8966c9a389c 100644
--- a/tests/py/inet/reject.t
+++ b/tests/py/inet/reject.t
@@ -34,3 +34,6 @@ meta nfproto ipv6 reject with icmp type host-unreachable;fail
 meta nfproto ipv4 ip protocol icmp reject with icmpv6 type no-route;fail
 meta nfproto ipv6 ip protocol icmp reject with icmp type host-unreachable;fail
 meta l4proto udp reject with tcp reset;fail
+
+meta nfproto ipv4 reject with icmpx type admin-prohibited;ok
+meta nfproto ipv6 reject with icmpx type admin-prohibited;ok
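Review bot: both new inet cases set the network context via `meta nfproto`, so together with the bridge tests they cover the IPv4/IPv6 acceptance path, but there is no inet case where the dependency comes from a transport-layer match. Since the commit message says icmpx is allowed "regardless of protocol dependency", a `meta l4proto udp reject with icmpx type admin-prohibited;ok` line next to the existing `meta l4proto udp reject with tcp reset;fail` would document that the relaxation applies to layer-4 dependencies as well and would catch a future change that re-tightens it.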
diff --git a/tests/py/inet/reject.t.json b/tests/py/inet/reject.t.json
index 0939f4450509b..46d4857a57c99 100644
--- a/tests/py/inet/reject.t.json
+++ b/tests/py/inet/reject.t.json
@@ -238,3 +238,45 @@
     }
 ]
 
+# meta nfproto ipv4 reject with icmpx type admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "nfproto"
+                }
+            },
+            "op": "==",
+            "right": "ipv4"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
+# meta nfproto ipv6 reject with icmpx type admin-prohibited
+[
+    {
+        "match": {
+            "left": {
+                "meta": {
+                    "key": "nfproto"
+                }
+            },
+            "op": "==",
+            "right": "ipv6"
+        }
+    },
+    {
+        "reject": {
+            "expr": "admin-prohibited",
+            "type": "icmpx"
+        }
+    }
+]
+
diff --git a/tests/py/inet/reject.t.payload.inet b/tests/py/inet/reject.t.payload.inet
index 7a6468e81f9e7..ee1aae02f1e1d 100644
--- a/tests/py/inet/reject.t.payload.inet
+++ b/tests/py/inet/reject.t.payload.inet
@@ -220,3 +220,15 @@ inet test-inet input
   [ cmp eq reg 1 0x0000000a ]
   [ reject type 0 code 0 ]
 
+# meta nfproto ipv4 reject with icmpx type admin-prohibited
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ reject type 2 code 3 ]
+
+# meta nfproto ipv6 reject with icmpx type admin-prohibited
+inet test-inet input
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x0000000a ]
+  [ reject type 2 code 3 ]
+
-- 
2.18.0